Secure your Wi-Fi against hackers in 10 steps

Source: Vsoft, 31/12/2018

An unauthorised user could be streaming pirated movies, hogging
your bandwidth and, potentially, landing you in a spot of legal
bother. They could be indulging in more nefarious activity, maybe
even trying to hack into your systems. This shouldn`t come as any
great surprise when research commissioned by Broadband Genie shows
54% of British broadband users are concerned about someone hacking
their router, yet only 19% had accessed the Wi-Fi router
configuration controls, and a measly 17% had changed the admin
password from the default.
Avast recently scanned over 4.3 million routers and found 48% had
some sort of vulnerability. Thankfully, there are plenty of tools
and tricks to identify who`s on your connection and how to get rid
of them.
1. Change the admin password
If you want to know what your wireless network is up to, you`ll
need to roll up your sleeves and head straight for the admin
gateway of your router: BT will usually default to 192.168.1.254;
Sky users should try 192.168.0.1; and all TalkTalk routers have an
internal IP of 192.168.1.1. If you`ve swapped out the supplied
router for one of your own preference, Google is your friend.
Alternatively, you can head over to routerpasswords.com â€` most
makes and models are listed there, complete with login details.
And if that doesn`t convince you to change your router from the
default settings, nothing will...
Default login settings should only be used to get up and running
out of the box, after which you should change the password to
something long and complex, and change the username if your router
allows it. Long and random is great passkey advice, which is
almost always ignored on the basis that people want to join the
Wi-Fi network without any hassle. Well, duh! Ask yourself this:
how often does any user actually have to enter the Wi-Fi password
manually? Certainly within the home, and for many small-business
scenarios, the answer is usually hardly ever after the initial
setup.
A key that`s over 20 characters long, with a randomly generated
mix of upper and lower-case alpha-numericals, with special
characters, is your best bet. LastPass` tool is excellent for
producing randomly generated and secure passwords.
2. Don`t broadcast your router details
While you`re in your router settings, you should change your
service set identifier (SSID). This is the name of your network
that the outside world sees; it commonly defaults to the router
manufacturer`s name. In light of how easy it is to find admin
logins online, best not make the hackers life any easier than it
already is. A determined hacker isn`t going to be prevented from
detecting and accessing your network simply because there`s no
SSID being broadcast, but using a random name rather than the
factory default makes sense. Not least as it suggests the user is
more security savvy than someone who is still broadcasting the
router manufacturer.
3. Disable Wi-Fi-protected setup (wps)
Wi-Fi-Protected Setup (WPS) uses the press of a button, or entry
of a PIN number, to establish an encrypted connection between a
device that supports it and your network. Advising users to
disable WPS may appear counter-intuitive, but it`s broken. It
makes use of what appears to be an eight-digit PIN code â€` but
looks can be deceiving. The last number is always a check digit,
so already the PIN is reduced to seven numbers, which makes brute-
forcing much easier. As does the fact that most routers don`t
include a cooling-off timeout between WPS guesses. Here comes the
stinger, though: as far as validation is concerned, the first four
digits are seen as a single sequence, as are the final three. That
means the possible number of combos just shrank from over ten
million to around 11,000. No wonder pen-testing tools such as
Reaver can brute-force WPS in a matter of seconds.
4. Update your firmware
The same Broadband Genie research mentioned earlier also shows
only 14% of British broadband users had updated their router
firmware â€` and, to be honest, we`re surprised it`s that high. If
you`re one of the 86%, though, do it today. Updating your router
firmware boosts your security at no cost and in very little time,
yet it`s a step that most home and small-business users fail to
take.
Why? Because our mindset is wrong. In the home, and in many small
businesses, the concept of `patch management` doesn`t exist â€` but
it should. We`re all used to watching Windows disappear into the
land of suspended resource time as it installs an update, after
all. The majority of routers will have an automatic update option,
so hunt it down and enable it. Be advised that sometimes a
firmware upgrade might default the router back to original
settings â€` do a quick check afterwards to be on the safe side.
5. Try a different dns server
Just as you can install an alternative to the firmware that runs
your router, you can choose a different Domain Name System (DNS)
server instead of the ISP default. There may come a time when the
DNS servers used by your ISP come under attack, by a distributed
denial-of-service (DDoS) attack, for example, or someone changing
the DNS to effect a cloned banking fraud. The bigger ISPs are a
target for this, since the consequences of hacking their DNS
servers would be enormous.
We`ve seen the DNS servers of the larger providers suffer
downtime, so having a backup and knowing how to flick the switch
is useful. The most common choice will be Google Public DNS server
(on 8.8.8.8 and 8.8.4.4 for the IPv4 service) or OpenDNS (on
208.67.220.220 and 208.67.222.222). There`s a setup guide at
pcpro.link/271dns, which details changing your DNS for home
routers, laptops, smartphones and servers.
Essentially, though, open your router admin panel and look for the
Domain Name Server addresses configuration page; input a primary
and secondary DNS IP. Some routers will have a third server
option, and for OpenDNS this would be 208.67.222.220. And that`s
it, other than to test it`s working by hitting the Test button on
the OpenDNS guide pages.
Certain providers prevent you from adjusting the DNS server
addresses in their own-brand routers, but you can still set
individual computers to seek alternate servers.